41 |
41 |
42 import org.xml.sax.SAXException; |
42 import org.xml.sax.SAXException; |
43 import org.xml.sax.SAXNotRecognizedException; |
43 import org.xml.sax.SAXNotRecognizedException; |
44 import org.xml.sax.SAXNotSupportedException; |
44 import org.xml.sax.SAXNotSupportedException; |
45 |
45 |
|
46 import static com.sun.xml.internal.bind.Util.getSystemProperty; |
|
47 |
46 /** |
48 /** |
47 * Provides helper methods for creating properly configured XML parser |
49 * Provides helper methods for creating properly configured XML parser |
48 * factory instances with namespace support turned on and configured for |
50 * factory instances with namespace support turned on and configured for |
49 * security. |
51 * security. |
50 * @author snajper |
52 * @author snajper |
51 */ |
53 */ |
52 public class XmlFactory { |
54 public class XmlFactory { |
53 |
55 |
54 // not in older JDK, so must be duplicated here, otherwise javax.xml.XMLConstants should be used |
56 // not in older JDK, so must be duplicated here, otherwise javax.xml.XMLConstants should be used |
55 public static final String ACCESS_EXTERNAL_SCHEMA = "http://javax.xml.XMLConstants/property/accessExternalSchema"; |
57 public static final String ACCESS_EXTERNAL_SCHEMA = "http://javax.xml.XMLConstants/property/accessExternalSchema"; |
|
58 public static final String ACCESS_EXTERNAL_DTD = "http://javax.xml.XMLConstants/property/accessExternalDTD"; |
56 |
59 |
57 private static final Logger LOGGER = Logger.getLogger(XmlFactory.class.getName()); |
60 private static final Logger LOGGER = Logger.getLogger(XmlFactory.class.getName()); |
58 |
61 |
59 /** |
62 /** |
60 * If true XML security features when parsing XML documents will be disabled. |
63 * If true XML security features when parsing XML documents will be disabled. |
81 try { |
83 try { |
82 SchemaFactory factory = SchemaFactory.newInstance(language); |
84 SchemaFactory factory = SchemaFactory.newInstance(language); |
83 if (LOGGER.isLoggable(Level.FINE)) { |
85 if (LOGGER.isLoggable(Level.FINE)) { |
84 LOGGER.log(Level.FINE, "SchemaFactory instance: {0}", factory); |
86 LOGGER.log(Level.FINE, "SchemaFactory instance: {0}", factory); |
85 } |
87 } |
86 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, xmlFeatureValue(disableSecureProcessing)); |
88 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing)); |
87 return factory; |
89 return factory; |
88 } catch (SAXNotRecognizedException ex) { |
90 } catch (SAXNotRecognizedException ex) { |
89 LOGGER.log(Level.SEVERE, null, ex); |
91 LOGGER.log(Level.SEVERE, null, ex); |
90 throw new IllegalStateException(ex); |
92 throw new IllegalStateException(ex); |
91 } catch (SAXNotSupportedException ex) { |
93 } catch (SAXNotSupportedException ex) { |
107 SAXParserFactory factory = SAXParserFactory.newInstance(); |
109 SAXParserFactory factory = SAXParserFactory.newInstance(); |
108 if (LOGGER.isLoggable(Level.FINE)) { |
110 if (LOGGER.isLoggable(Level.FINE)) { |
109 LOGGER.log(Level.FINE, "SAXParserFactory instance: {0}", factory); |
111 LOGGER.log(Level.FINE, "SAXParserFactory instance: {0}", factory); |
110 } |
112 } |
111 factory.setNamespaceAware(true); |
113 factory.setNamespaceAware(true); |
112 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, xmlFeatureValue(disableSecureProcessing)); |
114 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing)); |
113 return factory; |
115 return factory; |
114 } catch (ParserConfigurationException ex) { |
116 } catch (ParserConfigurationException ex) { |
115 LOGGER.log(Level.SEVERE, null, ex); |
117 LOGGER.log(Level.SEVERE, null, ex); |
116 throw new IllegalStateException( ex); |
118 throw new IllegalStateException( ex); |
117 } catch (SAXNotRecognizedException ex) { |
119 } catch (SAXNotRecognizedException ex) { |
134 try { |
136 try { |
135 XPathFactory factory = XPathFactory.newInstance(); |
137 XPathFactory factory = XPathFactory.newInstance(); |
136 if (LOGGER.isLoggable(Level.FINE)) { |
138 if (LOGGER.isLoggable(Level.FINE)) { |
137 LOGGER.log(Level.FINE, "XPathFactory instance: {0}", factory); |
139 LOGGER.log(Level.FINE, "XPathFactory instance: {0}", factory); |
138 } |
140 } |
139 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, xmlFeatureValue(disableSecureProcessing)); |
141 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing)); |
140 return factory; |
142 return factory; |
141 } catch (XPathFactoryConfigurationException ex) { |
143 } catch (XPathFactoryConfigurationException ex) { |
142 LOGGER.log(Level.SEVERE, null, ex); |
144 LOGGER.log(Level.SEVERE, null, ex); |
143 throw new IllegalStateException( ex); |
145 throw new IllegalStateException( ex); |
144 } catch (AbstractMethodError er) { |
146 } catch (AbstractMethodError er) { |
155 try { |
157 try { |
156 TransformerFactory factory = TransformerFactory.newInstance(); |
158 TransformerFactory factory = TransformerFactory.newInstance(); |
157 if (LOGGER.isLoggable(Level.FINE)) { |
159 if (LOGGER.isLoggable(Level.FINE)) { |
158 LOGGER.log(Level.FINE, "TransformerFactory instance: {0}", factory); |
160 LOGGER.log(Level.FINE, "TransformerFactory instance: {0}", factory); |
159 } |
161 } |
160 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, xmlFeatureValue(disableSecureProcessing)); |
162 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing)); |
161 return factory; |
163 return factory; |
162 } catch (TransformerConfigurationException ex) { |
164 } catch (TransformerConfigurationException ex) { |
163 LOGGER.log(Level.SEVERE, null, ex); |
165 LOGGER.log(Level.SEVERE, null, ex); |
164 throw new IllegalStateException( ex); |
166 throw new IllegalStateException( ex); |
165 } catch (AbstractMethodError er) { |
167 } catch (AbstractMethodError er) { |
178 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); |
180 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); |
179 if (LOGGER.isLoggable(Level.FINE)) { |
181 if (LOGGER.isLoggable(Level.FINE)) { |
180 LOGGER.log(Level.FINE, "DocumentBuilderFactory instance: {0}", factory); |
182 LOGGER.log(Level.FINE, "DocumentBuilderFactory instance: {0}", factory); |
181 } |
183 } |
182 factory.setNamespaceAware(true); |
184 factory.setNamespaceAware(true); |
183 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, xmlFeatureValue(disableSecureProcessing)); |
185 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing)); |
184 return factory; |
186 return factory; |
185 } catch (ParserConfigurationException ex) { |
187 } catch (ParserConfigurationException ex) { |
186 LOGGER.log(Level.SEVERE, null, ex); |
188 LOGGER.log(Level.SEVERE, null, ex); |
187 throw new IllegalStateException( ex); |
189 throw new IllegalStateException( ex); |
188 } catch (AbstractMethodError er) { |
190 } catch (AbstractMethodError er) { |
189 LOGGER.log(Level.SEVERE, null, er); |
191 LOGGER.log(Level.SEVERE, null, er); |
190 throw new IllegalStateException(Messages.INVALID_JAXP_IMPLEMENTATION.format(), er); |
192 throw new IllegalStateException(Messages.INVALID_JAXP_IMPLEMENTATION.format(), er); |
191 } |
193 } |
192 } |
194 } |
193 |
195 |
194 public static SchemaFactory allowFileAccess(SchemaFactory sf, boolean disableSecureProcessing) { |
196 public static SchemaFactory allowExternalAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) { |
195 |
197 |
196 // if feature secure processing enabled, nothing to do, file is allowed, |
198 // if xml security (feature secure processing) disabled, nothing to do, no restrictions applied |
197 // or user is able to control access by standard JAXP mechanisms |
199 if (isXMLSecurityDisabled(disableSecureProcessing)) { |
198 if (disableSecureProcessing) { |
200 if (LOGGER.isLoggable(Level.FINE)) { |
199 return sf; |
201 LOGGER.log(Level.FINE, Messages.JAXP_XML_SECURITY_DISABLED.format()); |
200 } |
202 } |
201 |
203 return sf; |
202 try { |
204 } |
203 sf.setProperty(ACCESS_EXTERNAL_SCHEMA, "file"); |
205 |
204 LOGGER.log(Level.FINE, Messages.JAXP_SUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_SCHEMA)); |
206 if (System.getProperty("javax.xml.accessExternalSchema") != null) { |
|
207 if (LOGGER.isLoggable(Level.FINE)) { |
|
208 LOGGER.log(Level.FINE, Messages.JAXP_EXTERNAL_ACCESS_CONFIGURED.format()); |
|
209 } |
|
210 return sf; |
|
211 } |
|
212 |
|
213 try { |
|
214 sf.setProperty(ACCESS_EXTERNAL_SCHEMA, value); |
|
215 if (LOGGER.isLoggable(Level.FINE)) { |
|
216 LOGGER.log(Level.FINE, Messages.JAXP_SUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_SCHEMA)); |
|
217 } |
205 } catch (SAXException ignored) { |
218 } catch (SAXException ignored) { |
206 // nothing to do; support depends on version JDK or SAX implementation |
219 // nothing to do; support depends on version JDK or SAX implementation |
207 LOGGER.log(Level.CONFIG, Messages.JAXP_UNSUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_SCHEMA), ignored); |
220 if (LOGGER.isLoggable(Level.CONFIG)) { |
|
221 LOGGER.log(Level.CONFIG, Messages.JAXP_UNSUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_SCHEMA), ignored); |
|
222 } |
208 } |
223 } |
209 return sf; |
224 return sf; |
210 } |
225 } |
211 |
226 |
|
227 public static SchemaFactory allowExternalDTDAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) { |
|
228 |
|
229 // if xml security (feature secure processing) disabled, nothing to do, no restrictions applied |
|
230 if (isXMLSecurityDisabled(disableSecureProcessing)) { |
|
231 if (LOGGER.isLoggable(Level.FINE)) { |
|
232 LOGGER.log(Level.FINE, Messages.JAXP_XML_SECURITY_DISABLED.format()); |
|
233 } |
|
234 return sf; |
|
235 } |
|
236 |
|
237 if (System.getProperty("javax.xml.accessExternalDTD") != null) { |
|
238 if (LOGGER.isLoggable(Level.FINE)) { |
|
239 LOGGER.log(Level.FINE, Messages.JAXP_EXTERNAL_ACCESS_CONFIGURED.format()); |
|
240 } |
|
241 return sf; |
|
242 } |
|
243 |
|
244 try { |
|
245 sf.setProperty(ACCESS_EXTERNAL_DTD, value); |
|
246 if (LOGGER.isLoggable(Level.FINE)) { |
|
247 LOGGER.log(Level.FINE, Messages.JAXP_SUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_DTD)); |
|
248 } |
|
249 } catch (SAXException ignored) { |
|
250 // nothing to do; support depends on version JDK or SAX implementation |
|
251 if (LOGGER.isLoggable(Level.CONFIG)) { |
|
252 LOGGER.log(Level.CONFIG, Messages.JAXP_UNSUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_DTD), ignored); |
|
253 } |
|
254 } |
|
255 return sf; |
|
256 } |
|
257 |
212 } |
258 } |